Twitter has closed a coding loophole that sent automated spam messages and redirected users to pornographic websites

The exploit took advantage of a cross-site scripting (XSS) vulnerability, and used a JavaScript command to generate spam tweets and redirect users to pornographic websites.

The tweets contained links with the command string “onmouseover” which triggered the spam messages and redirects whenever a Twitter user hovered their mouse over the link.

Twitter said it had patched the vulnerability, and that the problem had been resolved. However, a number of high-profile Twitter users, including Sarah Brown, the wife of the former Prime Minister, were caught up in the scam.

“We have identified and are patching an XSS attack,” said Twitter on its site safety feed earlier today.

Del Harvey, one of the senior engineers on Google’s safety team, subsequently sent a tweet to say that the loophole had been “fully patched” and was “no longer exploitable”.

The BBC reports that a Twitter user named Magnus Holm sent the first message containing the code, and appears to be the originator of the attack.

“I wrote the first worm that has been spreading,” Holm told the BBC. “I simply wanted to exploit the hole without doing any real harm. It started off as, ‘ha, no way is this going to work’.”

Holm estimates that his worm has been passed around Twitter by at least 200,000 tweets.

“It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” said Graham Cluley, a security expert with Sophos.

Twitter users who accessed their account through third-party apps and clients appeared to be unaffected by the exploit.